
New users can't log into /mydevices or /profilemanager

Hi all,


I've got Profile Manager up and running and have deployed about 25 iPads using the current setup.


My configuration has not changed but all of a sudden, new users created today can not log into /mydevices or /profilemanager. Says the username or password is incorrect, but they're entered properly. Again, the configuration of the server has NOT changed since users entered (and working) last week.


Anyone have this issue? If anyone can shed some light, I'd really appreciate it.


Apple: Lion Server is buggy as ****. Profile Manager is buggy as ****. I've spent hours on the phone with Apple support with one issue after another. I'm getting sick of the instability and crankiness of Lion Server. These forums are chock full of people having such a massive range of issues that I can only draw one conclusion: Lion Server is half baked.


Please help (again),



Chris

8 core 2.8GHz Mac Pro, Mac OS X (10.7.1), 32GB RAM, 150 TB

Posted on Sep 26, 2011 3:46 PM


Sep 26, 2011 4:32 PM in response to Chris Marriott

I figured out a workaround, but HOLY CRAP LION SERVER IS RIDDLED WITH BUGS!


Creating a user from Server.app resulted in that user not being able to access /mydevices or /profilemanager. Trying to log in resulted in the server saying the username or password was entered incorrectly.


So, after screwing around, I used Workgroup Manager, created a preset from one of the users who could log in, and then created a user with that preset. It worked. New users created with that preset can log into their mydevices portal and profile manager via the web.


But seriously, Apple, Lion Server is not ready for prime time. This has to be the worst release yet. Love the fact that things are easy to do, but unfortunately, Lion Server is not reliable and is nearly impossible to recommend with any conviction or belief it will function as advertised.


I have to use three different apps and the Terminal to administer a Lion Server. I'm using the terminal at least 10 times more often than I did in SL Server. Lion's documentation is awful. Just awful. It's so nondescript that it's laughable (as a defense mechanism for feeling helpless).


Apple, we run your server hardware (what's left of it) and your server OS because we choose to. And because we need to in order to support Macs and iDevices. If it cost $500 like it used to, we'd still buy it. I believe that you (Apple) figure that charging only $40 absolves you of any responsibility to create a serious server product, but it doesn't. And Lion Server is not a serious server product. It could be, but it's so buggy that frankly, someone needs to take you to task for it. Don't you realize a stable server product is often THE single reason for Macs and iDevices being able to work in businesses and the enterprise at all??


Come on! You've fed us a load of bull. Lion Server is half baked. And it's sad, because it really could have been an awesome OS and set of tools. Are you going to get serious about it, or just pretend that your product works?



Chris Marriott

Oct 27, 2011 10:45 AM in response to Chris Marriott

Well, I believe access to Profile Manager depends on the com.apple.access_devicemanagement group in the local domain. For example:


dscl /LDAPv3/127.0.0.1 -read /Users/chrismarriott GeneratedUID

GeneratedUID: 3DC01AC3-8BB4-4657-9F35-759BA7B7C7A1


dscl . -read /Groups/com.apple.access_devicemanagement GroupMembers

GroupMembers: E44FEDEF-9B8C-4774-A790-81752E2D364D 37A781F0-A197-48DE-B585-FC4E1F8BE208 B064DE1E-6E5F-47EC-82E8-A1C3B99829AE 73989374-2AFA-4ED7-8EB9-827D5F1D5CED EF5C06A1-50A1-41D3-967A-0EE73EF09088 843AA0AA-1748-4256-B8B3-89263A1D5E7E F7905E2D-6CD8-4CF7-B5C8-ADDF4484FBDF C03C9E96-4464-40D5-8DDF-2B1F6588B02A 3DC01AC3-8BB4-4657-9F35-759BA7B7C7A1


dseditgroup -o checkmember -m chrismarriott com.apple.access_devicemanagement

yes chrismarriott is a member of com.apple.access_devicemanagement
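
The membership check described in the post above, as an added example that is not part of the original post: it parses `dscl` output and lists users whose GeneratedUID is absent from the group's GroupMembers. The sample text is constructed from the output quoted above (member list shortened); `newuser`, its all-zero UUID and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: find users missing from the Profile Manager access group.
# On a live server the inputs would come from the commands in the post:
#   dscl /LDAPv3/127.0.0.1 -read /Users/<name> GeneratedUID
#   dscl . -read /Groups/com.apple.access_devicemanagement GroupMembers

# Extract the value of a single-line dscl attribute ("Key: value ...").
# $1 = attribute name, stdin = output of dscl -read
dscl_value() {
    sed -n "s/^$1: *//p"
}

# Return 0 only if UUID $1 is a whole entry in the space-separated list $2
# (a prefix or substring of another UUID does not count).
uid_in_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# stdin: "shortname uuid" lines; $1 = GroupMembers list.
# Prints the short name of every user whose UUID is not in the list.
missing_from_group() {
    while read -r name uuid; do
        uid_in_group "$uuid" "$1" || printf '%s\n' "$name"
    done
}

# Constructed sample: group output shortened from the post above.
SAMPLE_GROUP_OUTPUT='GroupMembers: E44FEDEF-9B8C-4774-A790-81752E2D364D 37A781F0-A197-48DE-B585-FC4E1F8BE208 3DC01AC3-8BB4-4657-9F35-759BA7B7C7A1'
# Constructed sample: one user from the post, one placeholder user.
SAMPLE_USERS='chrismarriott 3DC01AC3-8BB4-4657-9F35-759BA7B7C7A1
newuser 00000000-0000-0000-0000-000000000000'

SAMPLE_MEMBERS=$(printf '%s\n' "$SAMPLE_GROUP_OUTPUT" | dscl_value GroupMembers)
printf '%s\n' "$SAMPLE_USERS" | missing_from_group "$SAMPLE_MEMBERS"
```

A user reported by `missing_from_group` has a directory account but no entry in the service access group, which is the condition the post ties to the failed logins.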

Oct 28, 2011 8:30 AM in response to Chris Marriott

I got my problem solved - and here are a few things to note and some steps to resolve the issue.


1) you do not need to create augmented users - unless you need extra settings for local logins (you most likely won't have users logging into your Mac) - if you are using AD that is - if not just create local users

2) server is buggy - perhaps - but after dealing with this issue for a few days - as much as i want to agree with it i want to say that now it is running very smoothly - and it boils down to order of steps in the install

4) do not change hostnames once it's set up - that will screw it up even worse


here is what i would suggest to blow it away and reset it up

1) system pref - users and groups - login options - network account server - edit - unjoin the domain

2) blow away your open directory and profile manager in command line

sudo /usr/share/devicemgr/backend/wipeDB.sh

sudo slapconfig -destroyldapserver


3) reset apache web config

sudo serveradmin command web:command=restoreFactorySettings


4)make sure your hostname is correct

5) join domain (if needed)

on command line verify ad is working by typing

user "username" where username is username of AD user

6) if AD set up - check dns search order - make sure no local host (127.0.0.1) is in the list

system preferences - network - ethernet - advanced -dns - remove 127.0.0.1 if there (only if using AD)

6) server admin - open directory - settings - change - set up as standalone

configure your ldap server - this will reissue signing authority certificate that you will need if you want to sign your configurations profiles for clients (iOS and Mac)

7) then configure profile manager


Reboot after step 2 - step 3, step 6


if you have a firewall in front of the server there will be additional ports required for SCEP

http://support.apple.com/kb/TS1629

you will need port 80,443 and 1640


If you have a reverse proxy you will need to set up a trust to the certificate on the proxy to the authority configured in the open ldap - different topic - but just thought it was worth mentioning
